This post is a slight modification of the official wiki for setting up Samba as an AD Domain Member. The wiki mentioned is a great article, but as described it doesn’t work on FreeBSD. There are two extra changes that you have to make and these changes are described below.
In my lab, I built a Windows 2012R2 domain controller/DNS and a FreeBSD 10.1 VM running Samba 4.4.5.
My Windows domain is kdomain.local and the NETBIOS name is MYDOMAIN. They are on the same subnet and the IP of the BSD VM is in the DNS. Let’s verify the prerequisites before we install Samba. Make sure that everything checks out.
This is the full name of my BSD VM.
This is what I have in resolv.conf. 192.168.1.19 is the IP of the Windows box.
cat /etc/resolv.conf search kdomain.local nameserver 192.168.1.19
This is the hostname and the IP of my BSD box.
cat /etc/rc.conf hostname="freebsd03.kdomain.local" ifconfig_em0="inet 192.168.1.18 netmask 255.255.255.0"
Make sure it resolves properly in DNS.
host -t A freebsd03.kdomain.local freebsd03.kdomain.local has address 192.168.1.18
Check the date/time on both systems. They have to be the same. If the time is not the same, it’s fine, but they have to be in different time zones.
date Fri Aug 26 19:26:24 EDT 2016
Another check using getent in case you have something in /etc/hosts.
getent hosts freebsd03 192.168.1.18 freebsd03.kdomain.local
If everything checks out, you can install samba.
pkg install samba44
This is where Samba expects the config file which doesn’t exist by default.
smbd -b | grep CONFIGFILE CONFIGFILE: /usr/local/etc/smb4.conf
The log dir is automatically created under /var/log/samba4. If you need to change the log dir or any other input parameters, look at /usr/local/etc/rc.d/samba_server file, but don’t change this file. Use the parameters there to change them in /etc/rc.conf.
Before you go further, you need to know what’s realm, NETBIOS and workgroup in Samba terms. They are kind of misleading as you can see below from the samba config file. On the domain controller, open up a command prompt and type:
set | find "DOMAIN" USERDNSDOMAIN=KDOMAIN.LOCAL USERDOMAIN=MYDOMAIN USERDOMAIN_ROAMINGPROFILE=MYDOMAIN
My domain is KDOMAIN.LOCAL and the NETBIOS domain name is MYDOMAIN. The hostname of my domain controller is DC03, but that’s irrelevant.
Now create the Samba config file which is /usr/local/etc/smb4.conf.
[global] netbios name = freebsd03 realm = KDOMAIN.LOCAL workgroup = MYDOMAIN security = ADS winbind enum groups = Yes winbind enum users = Yes winbind nss info = rfc2307 idmap config *:range = 2000-9999 idmap config * : backend = tdb
As you can see the netbios name is not the netbios name of your domain controller, it’s the hostname of your BSD box. The realm is the domain name and the workgroup is the NETBIOS name of the domain controller. Yep, it is misleading, but it is what it is.
Previously, I mentioned that there are two changes that you have to make that are different than the original wiki. So, this is the first change. In the original wiki article, they suggest picking up one of the three idmap modules.
# Just adding the following three lines is not enough!! # - idmap config ad # - idmap config rid # - idmap_config_autorid
If you go ahead and implement any of them, you won’t be able to enumerate the domain users with getent. More info here. So, skip that and just do the config file as described above.
Now that you have your config in place, check for any errors. Just do testparm.
testparm Load smb config files from /usr/local/etc/smb4.conf Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions # Global parameters [global] realm = KDOMAIN.LOCAL workgroup = MYDOMAIN security = ADS winbind enum groups = Yes winbind enum users = Yes winbind nss info = rfc2307 idmap config *:range = 2000-9999 idmap config * : backend = tdb
If everything is syntax OK, you can now join the BSD box to the domain.
net ads join -U administrator Enter administrator's password: Using short domain name -- MYDOMAIN Joined 'FREEBSD03' to dns domain 'kdomain.local'
If you go back to your domain controller and open the ADUC (Active Directory Users and Computers), you’ll see your BSD hostname there.
Add these two lines to /etc/rc.conf.
Now, you can start Samba with service samba_server start. It also starts winbind daemon.
service samba_server start Performing sanity check on Samba configuration: OK Starting nmbd. Starting smbd. Starting winbindd.
Do all the checks.
wbinfo -u MYDOMAIN\administrator MYDOMAIN\guest MYDOMAIN\klimenta MYDOMAIN\krbtgt
wbinfo -g MYDOMAIN\winrmremotewmiusers__ MYDOMAIN\domain computers ...
Now, do getent passwd. You won’t receive any domain users.
This is the second change that doesn’t apply from the official wiki. You’ll have to modify /etc/nsswitch.conf, so it looks like this. You have to replace compat with files for group and passwd entries.
group: files winbind group_compat: nis hosts: files dns networks: files passwd: files winbind passwd_compat: nis
Reboot, and do getent passwd and getent group at this point. If you get the domain users and group, you are all set.
If you use pf, make sure that these ports are opened.
At this point, you’ll have the OS fully configured as a domain member, but you still can’t log in to FreeBSD with a domain account. In order to do that, we’ll have to make some changes.
Make sure you have these lines in smb.conf, restart samba service if necessary.
template shell = /bin/sh template homedir = /home/%D/%U
The template shell and homedir means that each domain user will use /bin/sh for a shell and each home directory is expected to be under /home/ + domain name + the user name, in my case /home/MYDOMAIN/klimenta. Next, we should create a home dir for one of the users. In my case:
mkdir -p /home/MYDOMAIN/klimenta cd /home/MYDOMAIN chown -R email@example.com klimenta
Finally, the following three files needs to be modified: /etc/pam.d/sshd, /etc/pam.d/system and /etc/ssh/sshd_config. Reboot after the modifications.
In /etc/ssh/sshd_config, make sure these two lines are uncommented and set to yes and no.
PasswordAuthentication yes ChallengeResponseAuthentication no
In /etc/pam.d/sshd, make sure you add this line three times so it looks like this. The order is also important.
# auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_winbind.so #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account account sufficient /usr/local/lib/pam_winbind.so account required pam_nologin.so #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so # session #session optional pam_ssh.so want_agent session required pam_permit.so # password password sufficient /usr/local/lib/pam_winbind.so #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass
In /etc/pam.d/system, make sure you add this line three times so it looks like this. The order is also important.
# auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_winbind.so #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account account sufficient /usr/local/lib/pam_winbind.so #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so # session #session optional pam_ssh.so want_agent session required pam_lastlog.so no_fail # password password sufficient /usr/local/lib/pam_winbind.so #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass
At this point, after the reboot of course, you can log as a domain member.